<p><strong>Airborn OS Blog</strong> (<a href="http://blog.airbornos.com/">http://blog.airbornos.com/</a>): Airborn OS is an in-browser OS and Google Docs alternative that encrypts your files in the browser. Feed last updated Mon, 12 Feb 2018 14:18:42 +0100.</p>
<h1><a href="http://blog.airbornos.com/post/2017/08/03/Transparent-Web-Apps-using-Service-Worker">Transparent Web Apps using Service Workers</a></h1>
<p><em>Thu, 03 Aug 2017 20:44:00 +0200, Daniel Huigens</em></p>
<p>TLDR: As has been <a href="https://tonyarcieri.com/whats-wrong-with-webcrypto">written</a> <a href="https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/">
before</a>, writing web applications that don't trust the server (e.g. by
adding client-side encryption, or storing all data in local storage and never
sending it to the server) wasn't possible before, because the browser requests
the code of the web application from the server every time you open it and
executes it trustingly. We propose a solution, analogous to <a href="https://wiki.mozilla.org/Security/Binary_Transparency">Binary Transparency</a>
on the desktop, using <a href="https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API">Service
Workers</a>, and have implemented it for <a href="https://www.airbornos.com/">Airborn OS</a>.</p>
<h2>Introduction</h2>
<p>Web applications, unlike desktop and mobile applications, aren't normally
<em>installed</em>: the browser downloads the application from the server every
time you open it. As well as advantages, this has some disadvantages: for
example, they don't normally work offline. I say &quot;normally&quot; because in modern
browsers, web applications can partially &quot;install&quot; themselves with Service
Workers. Service Workers sit between the web application and the server and
cache responses so that the app keeps working offline, among other things.</p>
<p>There's also a security disadvantage to downloading the web app every time,
if you want to verify whether you trust its source code: even if you read all
the source code on GitHub, the server could send you a new version tomorrow
with no easy way to notice.</p>
<p>Furthermore, the server could send <em>just you</em> a different version of
the web application tomorrow. There's no way to check that you're getting the
same version as everyone else. This also applies to desktop applications, and
the solution is <em>Binary Transparency</em>, such as <a href="https://wiki.mozilla.org/Security/Binary_Transparency">Firefox is planning to
implement</a>. Basically, every release will be put in a public log, and the
Firefox Updater will check that the new version matches the version in the
log.</p>
<p>Now that we know all the pieces of the puzzle, the question arises: can we
use Service Workers to achieve Binary Transparency? It turns out we can, with
some limitations.</p>
<h2>Implementation</h2>
<p>When the browser requests a file (/ or /main.js, say) the request goes to
the Service Worker. If the SW has a response in cache, it responds with that
immediately. It also requests an up-to-date version from the server. If that
differs from the cached version (i.e. the web app has been updated), the SW
requests from the GitHub API a list of the files on GitHub with their sizes and
hashes. If the server's response matches that list, the cached version is
updated and the user is shown this message:</p>
<p><img src="http://blog.airbornos.com/public/transparency_notifications/response_matches.png" alt="response_matches.png" /></p>
<p>That link to GitHub is not just a generic link to the repository: it's a
link to the specific commit with the same code that we received from the server
(the Service Worker verified that). This makes it easy to check whether you
trust the code of the web application.</p>
<p>If the response doesn't match, the user is shown this message:</p>
<p><img src="http://blog.airbornos.com/public/transparency_notifications/response_does_not_match.png" alt="response_does_not_match.png" /></p>
<p>Note that this is not a warning, because the user isn't really at risk: we
still have the old version in cache. If that's not the case (this is the first
time the user opens the web app), this error is shown instead:</p>
<p><img src="http://blog.airbornos.com/public/transparency_notifications/new_response_does_not_match.png" alt="new_response_does_not_match.png" /></p>
<p>Note that while we chose GitHub as a public log, this is not a requirement.
You could check the files against another (possibly cryptographic) log, or
check that they are signed with a given public key, etc.</p>
<h2>What does this guarantee?</h2>
<p>If you trust or verify the Service Worker the first time you get it from the
server, this guarantees that:</p>
<ul>
<li>Unless you've gotten a message saying Airborn OS has been updated*, you're
still running the same code as when you first opened Airborn OS</li>
<li>Unless you've gotten a message saying you should check your trust in
Airborn OS*, you're running the code on GitHub, and therefore the same code
everyone else is running</li>
</ul>
<p>This makes it possible for a security researcher to read the code on GitHub,
publish their results (with inspected GitHub commit) and for everyone to verify
that they're running that same code.</p>
<p>(*) Or a warning or error. The guarantees also fail if your computer has
been hacked, or (for the second guarantee) if both the server and GitHub have
been hacked. Notably, however, the guarantees hold if the server has been
hacked or gone rogue. If the server has been hacked, the attacker also needs
access to GitHub to update the code for existing users. And if the developer
has gone rogue and pushes malicious code to the server, he also has to push
that same code to GitHub, which makes it possible for observers to detect his
rogueness.</p>
<p>Furthermore, we would like to guarantee that a security researcher can
independently verify that all users are running the same code, as long as the
server was not malicious when the users first opened the web app.</p>
<p>However, currently, the server tells the Service Worker which commit on
GitHub each file is coming from. This is necessary, because it's hard to
guarantee that the browser always gets the latest version on GitHub, due to
caches and using a CDN. However, an attacker could hide a commit on GitHub, for
example in an old branch. To solve this, the Service Worker could check that
the commit is in a specific 'release' branch, and either the latest commit or
no more than 24 hours old. We plan to implement this but haven't done so
yet.</p>
<h2>Service Worker lifecycle</h2>
<p>The designers of the Service Worker specification have taken great care to
make sure that a web application cannot permanently break itself using Service
Workers: the browser checks for an update to the SW on every page load, and we
can't prevent the SW from being updated if it has been changed on the server.
Fortunately, both the old Service Worker and the web app get notified when that
happens, so we can notify the user of the update.</p>
<p>However, we can't actually check that the new Service Worker matches the
version on GitHub. We can request the new Service Worker file, of course, but
(at least in Chrome) that issues a separate network request from the request
that Chrome itself used to get the Service Worker, so we can't be sure that the
server replied with the same file.</p>
<p><img src="http://blog.airbornos.com/public/transparency_notifications/response_matches_sw.png" alt="response_matches_sw.png" /></p>
<p>It would be nice if Chrome could put the Service Worker file it got in
network cache, so that the old Service Worker can request it from there. Then,
we can stop showing the relatively unhelpful warning above.</p>
<p>Service Workers also update on Push Notification and Background Sync events.
We currently use neither, but it's worth verifying that browsers start the old
Service Worker for the event (while updating asynchronously) and send it an
update event, which is what we want. It's also worth verifying that there's no
other way to trigger an update, especially one that doesn't start and notify
the old Service Worker, since that would be a vulnerability for our use
case.</p>
<h2>Previous approaches to Transparent Web Apps</h2>
<p>Previously, some (including Airborn OS) have been using browser addons to
increase the security of their web apps. The obvious disadvantage of this is
that users have to install an addon. Also, you can't install addons on mobile
Chrome and Safari.</p>
<p>I've previously <a href="http://blog.airbornos.com/post/2015/04/25/Secure-Delivery-of-JavaScript">written</a>
about another approach using Certificate Transparency. Basically, the idea is
to put checksums of the files of the web app in the website's certificate.
Thanks to Certificate Transparency, we can check that there's only one
certificate for the website (and by extension, only one version of the
code).</p>
<p>The advantage of that approach is that it's less trust-on-first-use: it can
protect you even the first time you open the web app on a computer. The
disadvantages are that it's less flexible (because it's implemented in the
browser or an addon instead of in the web app), requires more work or tooling
to update the web app, and requires work on the part of browser makers to
implement. The solution using Service Workers, in contrast, can be deployed
today.</p>
<h2>Next steps</h2>
<p>There are many web apps that would benefit from being made transparent:
encrypted chat apps, Bitcoin wallets, but also client-side tools such as word
counters and photo editors. Let us know if you're a web app developer and need
help implementing something like this. We would also like to create a library
(maybe with the help of other web app developers) to make that easy. Let us
know if you want to help or have any feedback!</p>
<h1><a href="http://blog.airbornos.com/post/2016/02/23/The-first-web-application-that-doesn-t-trust-the-server">The first web application that doesn't trust the server</a></h1>
<p><em>Tue, 23 Feb 2016 15:04:00 +0100, Daniel Huigens</em></p>
<p><em><a href="https://www.airbornos.com/">Airborn OS</a> is an in-browser OS
and Google Docs alternative that encrypts your files in the browser.</em></p>
<p><strong>TLDR: The latest version of <a href="https://addons.mozilla.org/firefox/addon/hcs-checker/">our Firefox
extension</a> has been approved. It checks the content at <a href="https://www.airbornos.com" title="https://www.airbornos.com">https://www.airbornos.com</a> against a known good
version. This way, you see a warning if anyone in the chain from us to you
wants to, say, steal your password. That could be us, our hosting provider, our
Content Delivery Network (CDN), someone who hacks any of the above, or someone
further down the chain who can get their hands on a certificate for
airbornos.com.</strong></p>
<p>Every so often, someone comes along who wants to make a web application that
can't read the notes you store in it, or view the pictures you store in it, or
something like that. &quot;I'll use a symmetric encryption library! Then users'
notes are secure.&quot; Most of them are promptly redirected to <a href="http://www.matasano.com/articles/javascript-cryptography/">this Matasano
article</a> or some other explanation of the fact that if your users are
entering their password and notes on your website, they have to trust you every
time they do that. So why use encryption at all?</p>
<p>We, too, read the articles. Couldn't we cheat? Maybe we could build a
browser extension? In fact we did, for Firefox. It contains checksums of the
first few files you get from airbornos.com. If any of them don't match, you get
a big error page. Or if the checksums are considered out of date, you get a
smaller warning.</p>
<p>The checksums are considered out of date when a new certificate for
airbornos.com has been generated and is in use. Today, that can be done quite
easily and unnoticed, so the warning shouldn't be taken lightly. However, in
the future, <a href="http://www.certificate-transparency.org/">Certificate
Transparency</a> will notify people when that happens, so that they can check
if a corresponding extension update has been issued.</p>
<p>These first files, checked by the extension, then continue to fetch and
execute further scripts, which are authenticated with the user's password. If
the user wishes, they are asked before updating those further scripts. The
result is that none of the scripts that the server delivers are trusted at face
value.</p>
<p><strong>But Firefox extensions take weeks to update, right? You can't put a
website's checksum in there!</strong><br />
Our experience so far, with three versions of our extension, has been pretty
good. Still, this is a valid concern. The first few files on airbornos.com have
been purposely designed to remain constant. For example, most of the content on
the homepage is loaded in a sandboxed iframe. This has some downsides, but for
us it's worth it.</p>
<p><strong>Nobody wants to install an extension before using a web
app!</strong><br />
We hope that those who care about their security will. However, not everybody
has to install the extension for everybody to benefit: an attacker doesn't know
in advance whether or not you have the extension installed, after
all.<sup>[<a href="http://blog.airbornos.com/post/2016/02/23/#pnote-844947-1" id="rev-pnote-844947-1" name="rev-pnote-844947-1">1</a>]</sup> That means they don't know if their attempt
will go unnoticed.</p>
<p><strong>Does this mean Airborn OS is secure?</strong><br />
Maybe. We would like to have a full audit done of Airborn OS and the Firefox
extension in the future. However, if you install the extension, and disable
automatic updates for Airborn OS, you're <em>probably</em> running the <a href="https://github.com/airbornos">code that's on GitHub</a>.</p>
<p><strong>Can my web app do this too?</strong><br />
Yes. <a href="https://github.com/twiss/hcs-hardcoded-hashes/blob/master/hashes.js">Send a
pull request</a> with your web app's checksums. However, make no mistake: the
files for which you include checksums can't change often.<sup>[<a href="http://blog.airbornos.com/post/2016/02/23/#pnote-844947-2" id="rev-pnote-844947-2" name="rev-pnote-844947-2">2</a>]</sup> So your web app either needs to be very
simple, or you need to build upon this to verify the rest of the web
application in some other way. A simple example would be to check the rest of
the source with the version on GitHub.</p>
<div class="footnotes">
<h4>Notes</h4>
<p>[<a href="http://blog.airbornos.com/post/2016/02/23/#rev-pnote-844947-1" id="pnote-844947-1" name="pnote-844947-1">1</a>] Unless you don't use Firefox. However, in the future we
could solve that by 1) releasing an extension for other browsers or 2)
impersonating other browsers in our Firefox extension for some users.</p>
<p>[<a href="http://blog.airbornos.com/post/2016/02/23/#rev-pnote-844947-2" id="pnote-844947-2" name="pnote-844947-2">2</a>] If you want to help decide on branding for the addon,
or want help with making the first few files of your web app static, shoot me
an email (see GitHub).</p>
</div>
<h1><a href="http://blog.airbornos.com/post/2015/12/17/A-Better-Taskbar">A Better Taskbar</a></h1>
<p><em>Thu, 17 Dec 2015 04:47:00 +0100, Daniel Huigens</em></p>
<p><em><a href="https://www.airbornos.com/">Airborn OS</a> is an in-browser OS
and Google Docs alternative that encrypts your files in the browser.</em></p>
<p>Normally when I talk to people about certain things in Airborn OS, such as
<a href="https://www.airbornos.com/docs/security">its security</a>, they at
least think it's somewhat complicated, sometimes even overcomplicated. However,
there's one thing I show people that I'm proud of, but they seem to think is
completely obvious and even uninteresting:</p>
<p><strong>When you minimize a window, it's placed on the taskbar in the
location closest to where it was, not next to the previous window.</strong></p>
<p>Please try out the <a href="https://www.airbornos.com/demo">Airborn OS
Demo</a> if it's not clear what this means.</p>
<p>Indeed, it didn't take a long time to come up with this. Nevertheless, I've
never seen it anywhere else.</p>
<p>The main advantage to this is that it makes it easier to find windows you
were previously looking at, which is the purpose of the taskbar.</p>
<p>The main disadvantage is that if all your windows are maximized and you only
have one screen, it doesn't help you. Currently, Airborn OS partially layers
those windows on top of each other so that only the icon is visible. However,
many modern taskbars already only show the icon, so it might actually work well
in that case.</p>
<h3>Thinking further</h3>
<p>How do we make it easy to find windows you were previously looking at?</p>
<p>One counter-question is, &quot;What do we know about the window we are trying to
find?&quot; Every answer to that question points to a window switching
mechanism:</p>
<ul>
<li>Its title
<ul>
<li>Show every window's title on the taskbar</li>
<li>Make a &quot;window search box&quot; in which you can type part of a window's
title</li>
</ul>
</li>
<li>Its icon
<ul>
<li>Show every window's icon on the taskbar</li>
</ul>
</li>
<li>Its location
<ul>
<li>Make windows' position on the taskbar close to their location</li>
<li>Add a mechanism to view and switch to covered windows (e.g., a 3D view
which looks at the desktop at an angle from above)</li>
</ul>
</li>
<li>What it looks like
<ul>
<li>Add a mechanism to view all open windows</li>
</ul>
</li>
<li>That we were looking at it recently
<ul>
<li>Show a list of windows in order of last focused</li>
</ul>
</li>
<li>Where it always is
<ul>
<li>Allow users to order their window list</li>
</ul>
</li>
</ul>
<p>Obviously, some mechanisms show multiple properties of the window, such as
its icon and title, or its location and what it looks like.</p>
<h3>Invitation to experiment</h3>
<p>Switching windows on many operating systems can still feel a bit behind,
say, switching files in Sublime Text. In any case, there's probably always room
for improvement on every OS.</p>
<p>If you know HTML, CSS and JavaScript, not just Airborn OS's taskbar <a href="https://github.com/airbornos/airbornos/blob/e75846a/laskyawm.css#L177-206">is
written in it</a> — Cinnamon's (the desktop environment by Linux Mint's
developers) <a href="https://github.com/linuxmint/Cinnamon/tree/master/files/usr/share/cinnamon/applets/window-list@cinnamon.org">
is as well</a>, and GNOME 3 allows you to write extensions (including a
taskbar) in JavaScript, too.</p>
<h1><a href="http://blog.airbornos.com/post/2015/05/08/Dividing-Content-into-Visual-Pages-in-CSS">Dividing Content into Visual Pages in CSS</a></h1>
<p><em>Thu, 21 May 2015 15:06:00 +0200, Daniel Huigens</em></p>
<p><em><a href="https://www.airbornos.com/">Airborn OS</a> is a secure
alternative to Google Docs.</em></p>
<p><img src="http://blog.airbornos.com/public/.pages_screenshot_s.jpg" alt="Pages Demo Screenshot" style="float:right; margin: 0 0 1em 1em;" title="Pages Demo Screenshot" /></p>
<p>Unlike Google Docs, Airborn OS (or rather Firetext, the text processing app)
doesn't include a custom renderer for text documents. Instead, it uses the
browser's built-in html viewing and editing capabilities. This means that if we
want to divide content into visual &quot;pages&quot; that correspond to the pages that
would come out of a printer, we'd have to do it in CSS (or a combination of CSS
and JavaScript). Can it be done?</p>
<p>It sure can, with some trickery. The trickery consists of two steps:</p>
<ol>
<li>Divide the content into CSS3 Columns. Thanks to the foresight of the
creators of the Columns spec, <code>column-count: 1</code> happens to do
exactly what we want: divide into columns with a specific width and
height.</li>
<li><del>Rotate the columns so they are under each other instead of next to
each other, and rotate the content so it's the right way up:
<code>writing-mode: vertical-lr</code> and <code>writing-mode: initial</code>.
This tells the browser it should order text (and columns) from top to
bottom.<br />
<br />
Unfortunately, this trickery only works in Firefox and then only if you set
<code>layout.css.vertical-text.enabled</code> to <code>true</code>. If you do
that, you can see a working demo <a href="http://blog.airbornos.com/public/pages_demo.html">here</a>.</del><br />
<br />
This trick <a href="https://bugzil.la/1215787">no longer works since Firefox
40</a>. Instead, you can use transforms to rotate the columns.</li>
</ol>
<p>Even when support is enabled by default in Firefox, there are still unsolved
problems: it's hard to style individual &quot;pages&quot; much further than in the demo
(<code>padding</code>, <code>box-shadow</code> and <code>border</code> don't
work on individual pages; <code>outline</code> does but is buggy). (Edit: the
new <code>box-decoration-break</code> CSS property should solve this, but it's
only supported in Firefox and even there it's <a href="https://bugzil.la/1412146">slightly buggy</a>.) When you make the text
editable, more problems arise, for example <a href="https://bugzil.la/1140795">this
bug</a>.</p>
<p>Also, before you use this on your own website, there's a debate to be had
about whether pages improve readability. Still, it's a cool trick and it's
amazing that it works at all.</p>
<p>For a related technique to show only one page at a time, see <a href="http://www.sitepoint.com/css3-columns-and-paged-reflowable-content/">this
article</a>.</p>
<h1><a href="http://blog.airbornos.com/post/2015/04/30/Airborn-OS-as-a-Secure-Alternative-for-Google-Drive">Airborn OS as a Secure Alternative to Google Docs</a></h1>
<p><em>Thu, 30 Apr 2015 17:45:00 +0200, Daniel Huigens</em></p>
<p>Maybe you want something more secure than Google Docs/Drive.<br />
If so, <a href="https://www.airbornos.com/">Airborn OS</a> might be a good
alternative for you.</p>
<p><strong>What is Airborn OS?</strong></p>
<ul>
<li>It's an operating system in the cloud.<br />
It comes with the app &quot;Firetext&quot; to edit text documents.</li>
<li>It's accessible from any platform.<br />
Like Google Docs, you only need access to a browser to edit your documents.
Unlike Dropbox, you don't need to download and upload your documents to edit
them.</li>
<li>Your files and apps are all encrypted in the browser.<br />
This makes Airborn OS much more secure than Google Docs.</li>
</ul>
<p><strong>How does Airborn OS realize more security?</strong></p>
<p>The encryption of Airborn OS uses a private key. Every user has their own
private key. The key is used both for the documents and for the code of
Airborn OS that opens and edits your documents. So nobody can read your
documents, or change the code that opens and edits your documents.<sup>[<a href="http://blog.airbornos.com/post/2015/04/30/#pnote-818456-1" id="rev-pnote-818456-1" name="rev-pnote-818456-1">1</a>]</sup></p>
<p><strong>What can't you do with Airborn OS yet?</strong></p>
<p>Google Docs is a complex product with many features. Airborn OS and Firetext
are still in development and don't have all of them. Here are some things you
can't do with them yet:</p>
<ul>
<li><del>Work together on documents.<br />
Firetext, for now, is an individual app. You can't edit one document with two
people at the same time unless you're sitting next to each other.</del><br />
Airborn OS has collaboration now.</li>
<li>Spreadsheets <del>and presentations</del>.<br />
<del>With Firetext, for now, you can only upload, create and edit text
documents.</del><br />
Airborn OS has a presentation editor now. Spreadsheets are on the roadmap.</li>
</ul>
<p>In short, <a href="https://www.airbornos.com/">Airborn OS</a> with Firetext
might be a good alternative to Google Docs if you want more security and don't
need all the functionality of Google Docs.</p>
<div class="footnotes">
<h4>Notes</h4>
<p>[<a href="http://blog.airbornos.com/post/2015/04/30/#rev-pnote-818456-1" id="pnote-818456-1" name="pnote-818456-1">1</a>] For more information on how this is made secure see
<a href="http://blog.airbornos.com/post/2015/04/25/Secure-Delivery-of-JavaScript" title="http://blog.airbornos.com/post/2015/04/25/Secure-Delivery-of-JavaScript">
http://blog.airbornos.com/post/2015...</a>.</p>
</div>
<h1><a href="http://blog.airbornos.com/post/2015/04/25/Secure-Delivery-of-JavaScript">Secure Delivery of JavaScript</a></h1>
<p><em>Sat, 25 Apr 2015 17:10:00 +0200, Daniel Huigens</em></p>
<p><em><a href="https://www.airbornos.com/">Airborn OS</a> is an in-browser OS
that encrypts your files in the browser.</em></p>
<p>Let's say you wanted, like us, to create a web application that encrypts
your users' data with their passwords before it stores it on your servers. You
value your users' privacy, after all. Does this buy you anything, though? Not
really. Tomorrow you could change your code to send you your users' passwords.
Even worse, you could do so only for a particular user you're interested in. In
other words, there's no way to securely deliver a web app without trusting the
server.</p>
<p>Yet. What we need, in essence, is an external source that tells us what the
HTML, CSS and JavaScript of the web app should be. People should be able to be
notified when the source changes, in case you changed it to send you their
password, and it should be the same for everybody, so that when one person
checks the source, everybody can be more confident in it. A browser addon, or
eventually the browser itself, could then check the server's responses with
that external source.</p>
<p>One possibility for the external source is the browser addon itself.
However, updates to Firefox addons <a href="https://blog.mozilla.org/addons/2015/04/08/add-ons-update-63/">can take a few
weeks</a> to be approved, which is simply too long when you need to change your
JavaScript (more about that later). Browser updates also take six weeks, if we
ever wanted to build this functionality into the browser.</p>
<p>A more promising possibility is the website's certificate. With the upcoming
<a href="http://www.certificate-transparency.org/">Certificate Transparency</a>
(CT), people will be able to keep track of certificates and be confident that
everyone gets the same certificate. We could use a certificate extension to
store the information we need. Currently, though, no Certificate Authority (CA)
that I'm aware of actually allows you to put arbitrary information in
certificates. One CA we asked worried about CA/Browser Forum requirements. One
CA was willing to do it, but at a large sum per generated certificate, which is
a disincentive you shouldn't want.</p>
<p>Finally, we could do something in between those two possibilities: store the
information in the addon, but allow updating the web app by regenerating a
certificate (which is faster). In other words, pin the information to the
certificate. This is what we currently do for <a href="https://www.airbornos.com/">airbornos.com</a>. We call it &quot;HTTPS Content
Signatures&quot; (HCS) and the addon is <a href="https://addons.mozilla.org/firefox/addon/hcs-checker/">here</a> (<a href="https://github.com/twiss/hcs-checker-firefox/">code</a>).</p>
<p>Once Certificate Transparency becomes a requirement in
browsers<sup>[<a href="http://blog.airbornos.com/post/2015/04/25/#pnote-817893-1" id="rev-pnote-817893-1" name="rev-pnote-817893-1">1</a>]</sup>, this means it's no longer possible to serve
unknown certificates with a website (that's what CT is). That means it's no
longer possible to serve unknown HTML or JavaScript to the browser as long as
every known certificate is listed in the addon (that's what the addon does).
Secure delivery of JavaScript, coming soon!</p>
<p>As promised above, one more note about updating the web app. Having to
regenerate your certificate every time you update your web app is still quite
unfortunate, especially if it means users of the addon are no longer protected.
It might be necessary to reduce the amount of code that is protected this way.
I'll offer two possibilities.</p>
<p>For the homepage and login page, you could separate form from function with
a <a href="https://developer.mozilla.org/docs/Web/HTML/Element/iframe#attr-sandbox">sandboxed
iframe</a>. However, there are many small problems with this to which I have no
solution yet: it complicates scrolling; if you allow navigating the top frame
(for links), that could be abused; and some things can't be moved to an iframe
(e.g. &lt;meta&gt; tags).</p>
<p>For the web app itself, you could protect only a small &quot;loader&quot; and do in it
whatever you want. What we do is decrypt the rest of the code with the user's
password.</p>
<p>This is all by no means an easy or ready-made solution, but for web apps
that are very serious about security, it could be an important building
block.</p>
<div class="footnotes">
<h4>Notes</h4>
<p>[<a href="http://blog.airbornos.com/post/2015/04/25/#rev-pnote-817893-1" id="pnote-817893-1" name="pnote-817893-1">1</a>] Since we have an addon anyway, we could build this
requirement into the addon. We haven't done so yet, though.</p>
</div>